Mailing List & Email List Data Compliance: What Marketers Need to Know (2026)
Purchasing a mailing list or email list is legal in the United States — but how you use that data is governed by several federal and state regulations. This guide explains what CAN-SPAM, TCPA, CCPA, and GDPR actually require in plain language, and gives you a practical compliance checklist to follow before every campaign.
Is Buying a Mailing List or Email List Legal?
Yes. Purchasing consumer or business contact data from a reputable list provider is legal in the United States. No federal law prohibits buying or using third-party contact data for marketing purposes.
What the law regulates is how you use the data. The key obligations depend on your channel:
Postal direct mail
No federal opt-in requirement. You must honor do-not-mail requests and comply with USPS addressing standards. CCPA applies to California residents.
Email
CAN-SPAM applies to all commercial email sent to US recipients. It is an opt-out law, not opt-in — prior consent is not required for B2C email in the US. Unsubscribe mechanisms and sender identification are required.
Phone / SMS / text
TCPA applies. Automated calls and texts to mobile numbers generally require prior express written consent. Cold outreach to purchased cell numbers carries significant legal risk without consent verification.
Marketing to EU contacts
GDPR applies regardless of where your business is based. EU contacts require a lawful basis for processing — typically consent or legitimate interest, with consent being the more defensible basis for purchased-list marketing.
The short version: direct mail and email to US contacts from a reputable list provider is straightforward to do legally. Phone and text campaigns require more care, and EU marketing requires separate consideration.
CAN-SPAM Act: What It Actually Requires
The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act) sets the rules for commercial email in the United States. It is enforced by the FTC and carries penalties of up to $51,744 per violation.
The six core requirements
| Requirement | What it means in practice |
|---|---|
| Honest sender identification | The "From," "To," and routing information must accurately identify who sent the message. No spoofed headers. |
| Non-deceptive subject line | The subject line must reflect the actual content of the email. Misleading subject lines are a direct violation. |
| Ad identification | Commercial emails must be clearly identified as advertising (unless the recipient has given prior consent to receive them). |
| Physical address | Every commercial email must include your valid physical postal address — a street address, PO Box, or private mailbox registered under commercial mail regulations. |
| Opt-out mechanism | Every email must include a clear, working unsubscribe mechanism. It must be easy to find and free to use (you cannot require payment or excessive personal information to unsubscribe). |
| Honor opt-outs promptly | Opt-out requests must be processed within 10 business days. You cannot charge a fee, require the recipient to log in, or ask them to take more than one step to unsubscribe. |
What CAN-SPAM does NOT require
- Prior opt-in consent from recipients — CAN-SPAM is an opt-out law
- A double opt-in process
- Prior consent before using purchased email lists for B2C marketing
This is why US B2C email marketing to purchased lists is legal: CAN-SPAM permits unsolicited commercial email as long as the sender follows the rules above. The recipient's right is to opt out after receiving the first email — not a right to pre-approve being contacted.
TCPA: Phone, SMS, and What It Covers
The Telephone Consumer Protection Act (TCPA) governs telephone calls, automated text messages, and fax marketing. It does not apply to postal mail.
What TCPA covers
- Automated or prerecorded calls to mobile or residential landline numbers
- Text messages sent using an autodialer (including most bulk SMS platforms)
- Unsolicited fax advertising
What TCPA requires for mobile/text outreach
For automated texts or calls to mobile numbers, TCPA generally requires prior express written consent from the recipient. This is a higher bar than CAN-SPAM: the consumer must have specifically agreed to receive marketing texts or calls from you (or a clearly identified category of marketers), typically via a signed form or checkbox at point of contact.
TCPA and purchased lists
If a purchased list includes mobile phone numbers and you plan to use an autodialer or bulk SMS platform, TCPA consent requirements apply. "The list provider said the numbers are opt-in" is not sufficient — you need documentation that consent was obtained in a TCPA-compliant manner and applies to your specific business or category.
For most small and medium businesses, the lowest-risk approach for purchased list outreach is postal mail or email — where CAN-SPAM's opt-out framework applies — rather than automated phone or text campaigns.
CCPA: California Consumer Privacy Act
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents specific rights over their personal data. It applies to for-profit businesses that meet certain thresholds — including businesses that buy, sell, or share the personal information of 100,000 or more California consumers annually, or that derive 50% or more of revenue from selling personal data.
Key rights under CCPA
- Right to know: Consumers can request to know what personal data a business has collected about them.
- Right to opt out: Consumers can opt out of the "sale" or "sharing" of their personal information for cross-context behavioral advertising.
- Right to delete: Consumers can request deletion of their personal data (with some exceptions).
- Right to correct: Consumers can request correction of inaccurate personal data.
What this means for purchased list users
If you purchase a list that includes California residents, the data broker you purchased from must be registered with the California Privacy Protection Agency (CPPA). Consumers who have exercised their opt-out rights with registered data brokers should have their records suppressed before the list reaches you.
In practice: buy from reputable, CCPA-compliant data providers. Honor any opt-out or deletion requests you receive from California residents promptly. Do not sell or share California resident data you receive through a list purchase to third parties without proper disclosures.
GDPR: When It Applies to US Marketers
The General Data Protection Regulation (GDPR) is EU law — but it applies based on the location of the data subject, not the location of your business. If you market to anyone located in the EU or EEA, GDPR applies to you regardless of where your company is based.
GDPR and purchased lists
Under GDPR, you need a lawful basis to process personal data. For marketing, the two most common bases are:
| Basis | What it requires | Verdict for purchased lists |
|---|---|---|
| Consent | Freely given, specific, informed, and unambiguous consent from the individual to be contacted by your business for your specific purpose | Difficult to establish with a purchased list — consent must name your organization specifically |
| Legitimate interest | Your interest in contacting the individual is genuine, necessary, and not overridden by their rights — requires a documented Legitimate Interest Assessment (LIA) | Possible for highly targeted, relevant B2B outreach; higher risk for broad consumer campaigns |
For most US-focused businesses buying US consumer or B2B lists: if your purchased list contains only US-based contacts, GDPR does not apply. Check with your list provider if you are unsure whether EU contacts are included.
Pre-Campaign Compliance Checklist
Run through this checklist before every campaign that uses purchased list data:
Before you buy
- Confirm the list provider sources data from reputable, disclosed sources
- Confirm the provider is CCPA-registered (for California residents) and CCPA-compliant
- Confirm opt-out suppression is applied at the data level before delivery
- Confirm whether the list includes EU contacts (if so, review GDPR requirements)
- For phone/text campaigns: confirm TCPA consent documentation is available
Before you send (email)
- Your "From" name and email address are accurate and identifiable
- Your subject line accurately reflects the email content
- Your physical postal address is included in the email footer
- A working unsubscribe link is present and easy to find
- Your ESP allows sending to purchased lists
- New opt-outs from previous sends are suppressed
Before you send (postal mail)
- USPS Move Update has been applied (addresses updated or suppressed within 95 days of mailing for Standard Mail)
- Any known do-not-mail requests from previous campaigns are suppressed
- California residents on the list were sourced from a CCPA-registered broker
Ongoing
- Opt-out requests are processed within 10 business days and added to your internal suppression list
- Suppression list is applied to every future campaign — even if a new list purchase includes the same contact
- Opt-out and deletion requests from California or EU residents are handled promptly
- List data is not shared or resold to third parties
How LeadsPlease Data Is Sourced
LeadsPlease aggregates consumer and business contact data from publicly available and licensed sources, including phone directories, public records, business filings, and self-reported data. Records are compiled, verified, and updated on a rolling basis to maintain accuracy.
LeadsPlease data meets or exceeds the following compliance standards:
- CAN-SPAM compliant — data is sourced from legally permissible channels; opt-outs are suppressed
- CCPA Ready — California consumer data is handled in accordance with CCPA requirements; the data broker registration requirement applies to LeadsPlease as the supplier
- GDPR compliant — US-based data only; EU resident data is not included in standard consumer or business lists
- TCPA compliant — phone records are cross-referenced against the National Do Not Call (DNC) registry
- SOC 2 compliant — data handling and security practices are audited
Every list order includes only records that have passed suppression checks. You are still responsible for maintaining your own suppression list after purchase and honoring opt-out requests you receive directly.
Frequently Asked Questions
Is buying a mailing list or email list legal?
Yes — purchasing contact data from a reputable list provider is legal in the United States. No federal law prohibits it. What the law regulates is how you use the data: you must honor opt-out requests, include required disclosures in emails, and comply with applicable regulations for your marketing channel. See the full breakdown above.
Do I need prior consent before emailing a purchased list?
Not for B2C email marketing to US recipients. CAN-SPAM is an opt-out law — it does not require prior opt-in consent. You can email US contacts from a purchased list as long as you include your physical address, provide a working unsubscribe link, and honor opt-out requests within 10 business days. Note: your ESP may have stricter policies than the law requires — confirm your platform allows purchased-list campaigns.
What is the difference between CAN-SPAM and GDPR?
CAN-SPAM (US) is an opt-out law: you can contact people first, and they have the right to opt out. GDPR (EU) is an opt-in framework: you need a lawful basis (typically consent or legitimate interest) before processing personal data for marketing. CAN-SPAM applies to US recipients; GDPR applies to EU/EEA residents. If your purchased list contains only US contacts, GDPR does not apply to you.
Can I text or call contacts from a purchased list?
With caution. TCPA requires prior express written consent before sending automated texts or placing robocalls to mobile numbers. If you plan to use bulk SMS or an autodialer with purchased list phone numbers, you need documented consent — not just a general "opted in to marketing" claim. For lower-risk outreach, use postal mail or email (both governed by less restrictive opt-out frameworks) rather than automated calls or texts.
How do I manage opt-outs from purchased lists?
Add every opt-out to your internal suppression list immediately and process it within 10 business days. Apply the suppression list to every future campaign — even if a new list purchase includes the same person. Do not charge a fee or require extra steps for unsubscribing. For California residents, honor deletion requests within the CCPA-required timeframe (45 days, extendable by another 45 with notice).
What is a "CCPA Ready" or "CCPA compliant" mailing list?
A CCPA-ready list means the data broker has registered with the California Privacy Protection Agency, applies consumer opt-out requests to the data before it is sold, and provides records in compliance with CCPA requirements. When you purchase a CCPA-ready list, California residents who have exercised their opt-out rights with the broker are already suppressed. You are still responsible for handling any opt-out or deletion requests you receive directly from California consumers after purchase.